DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Follow-up on the Gulf Coast Health Care Services breach

Posted on November 26, 2012 by Dissent

Back on November 10, I noted that HHS’s breach tool had added an entry for Gulf Coast Health Care Services:

Gulf Coast Health Care Services  in Florida suffered a network compromise on August 17 that reportedly affected 13,000 patients. The incident was reported to HHS as “Theft, UnauthorizedAccess/Disclosure, Hacking/IT Incident”,Network Server.

I commented at the time, ” I really wish HHS would refine their response categories.” After finding out more about the breach, I’m even more convinced that we would all benefit if HHS refined its reporting form.

Based on my interview with Craig Brimm, Privacy Officer for the firm,  this was a messy insider breach that actually started in June 2012 (not August 17, as indicated on HHS’s breach tool)  after a psychiatrist left their practice and started calling patients to recruit them for her new practice.  It is not clear whether the psychiatrist took any patient contact information with her, but the firm later discovered that on June 29, their receptionist accessed patient databases for both of the firm’s locations and started downloading patient information.   Later investigation revealed that the same receptionist downloaded information on other occasions in August and September.   During the investigation, evidence was uncovered that  the receptionist had been in contact with both the psychiatrist and a nurse practitioner who had also left the practice. Gulf Coast believes that the receptionist supplied these two former employers with patient contact information.

Gulf Coast first discovered the breach on September 26 when patients alerted them that they were receiving unsolicited phone calls recruiting them as patients. The firm also started receiving faxed requests for the patients’ records.

The matter was referred to law enforcement on September 28.

According to Brimm, the receptionist had downloaded approximately 13,000 patients’ name, address, phone number, and date of birth.

Brimm sent PHIprivacy.net the following statement/substitute notice:

Gulf Coast Health Care Services Notice Concerning Patient Privacy Breach

11-16-2012

On September 26, Gulf Coast Health Care Services Inc. discovered that an employee had, without authorization or legitimate purpose, accessed and downloaded limited information on our patients. Forensic investigation revealed that the unauthorized access occurred on five occasions between June 29, 2012 and September 20, 2012.

The types of information accessed included patients’ names, addresses, dates of birth, and phone numbers for all patients seen in this office since 1992. The employee did not access any medical information, Social Security numbers or financial information. We believe that the data were stolen and provided to other practitioners who have used our patient contact information to try to recruit patients for their own practices. Because of the nature of this breach, we do not believe that our patients are at any risk of ID theft.

On September 28, the matter was reported to the FBI, the Sarasota Police Department, and the Florida Department of Law Enforcement. The incident was also reported to the U.S. Department of Health and Human Services Office of Civil Rights in compliance with federal law.  The breach remains under active investigation by all agencies that were notified.

Gulf Coast Health Care Services deeply regrets any distress patients may have experienced due to unsolicited phone calls from other practices. We have been working with security experts to further limit access to our patient databases, and assure patients that we care about their privacy.

If you have any questions or concerns or wish to report unsolicited contact from other practitioners, please call D. Craig Brimm, Privacy Officer at 941-343-3033 or e-mail [email protected].

Would you have guessed that this was an insider breach of this kind from HHS’s breach tool entry? Even though “unauthorized access” was included in their list of possibilities, would your first thought have been insider breach or would it have been a hack or theft?

I’m not sure how we can persuade HHS to refine their reporting tool, but having fuller information would sure be helpful.

No related posts.

Category: Uncategorized

Post navigation

← Follow-up: Brighton and Sussex University Hospitals NHS Trust data breach fine reduced for timely payment
Sourcefire laptop with employee data stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.